Facing down the Ramnit virus on Facebook: Tips for protection and clean-up
Takeaway: Bob Eisenhardt explains how the Facebook virus Ramnit works, why it’s so bad, and how it can affect much more than a Facebook account.
How do I remove a computer virus?
If your computer is infected with a virus, you'll want to remove it as quickly as possible. A fast way to check for viruses is to use an online scanner, such as the Microsoft Safety Scanner. The scanner is a free online service that helps you identify and remove viruses, clean up your hard disk, and generally improve your computer's performance.
If you're not sure whether your computer has a virus, see How can I tell if my computer has a virus? to check for some telltale signs. To try a different online scanner, follow the links to other companies that provide them on the Windows Security software providers webpage.
If you can connect to the Internet
If you can reach a website using your web browser, run an online scan.
To run the Microsoft Safety Scanner
- Go to the Microsoft Safety Scanner webpage to download the scanner.
- Click Download Now, and then follow the instructions on the screen.
If you can't connect to the Internet
If you can't get to the Microsoft Safety Scanner online, try restarting your computer in safe mode with networking enabled.
To restart in Safe Mode with networking enabled
- Restart your computer.
- When you see the computer manufacturer's logo, press and hold the F8 key.
- On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
- Log on to your computer with a user account that has administrator rights.
- Follow the steps above to run the Microsoft Safety Scanner.
For more information about different startup modes, see Start your computer in safe mode.
If you still can't access the Internet after restarting in safe mode, try resetting your Internet Explorer proxy settings. The following steps reset the proxy settings in the Windows registry so that you can access the Internet again.
To reset Internet Explorer proxy settings
- In Windows 7, click the Start button, type run in the search box, and then click Run in the list of results. In Windows Vista, click the Start button, and then click Run. In Windows XP, click Start, and then click Run.
- Copy and paste or type the following text in the Open box in the Run dialog box:
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
- Click OK.
- In Windows 7, click the Start button, type run in the search box, and then click Run in the list of results. In Windows Vista, click the Start button, and then click Run. In Windows XP, click Start, and then click Run.
- Copy and paste or type the following text in the Open box in the Run dialog box:
  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
- Click OK.
Restart Internet Explorer and then follow the steps listed previously to run the scanner.
Remove a virus manually
Sometimes a virus must be removed manually. This can become a technical process that you should only undertake if you have experience with the Windows registry and know how to view and delete system and program files in Windows.
First, identify the virus by name by running your antivirus program. If you don't have an antivirus program or if your program doesn't detect the virus, you might still be able to identify it by looking for clues about how it behaves. Write down the words in any messages it displays or, if you received the virus in email, write down the subject line or name of the file attached to the message. Then search an antivirus vendor's website for references to what you wrote down to try to find the name of the virus and instructions for how to remove it.
Recovery and prevention
After the virus is removed, you might need to reinstall some software or restore lost information. Doing regular backups on your files can help you avoid data loss if your computer becomes infected again. If you haven't kept backups in the past, we recommend that you start now.
To learn how to help protect your computer against viruses in the future, see How can I help protect my computer from viruses?
Recently I came across a malware sample that generated some suspicious network activity to a domain called zahlung.name. The domain name looks very suspicious (Zahlung is the German word for “payment”), so I decided to take a closer look at the sample.
The malware I will be talking about in this post is a worm called W32.Ramnit. The worm was first discovered in 2010 (in January by Symantec and in August by McAfee).
*** Worm W32.Ramnit ***
Let’s take a quick look at the behavior of Ramnit. The Worm always installs itself into the same directory using the same filename:
C:\Program Files\Microsoft\DesktopLayer.exe
In this case the file has a very bad AV detection rate:
Filename: DesktopLayer.exe
MD5: 8746774d1033048dcdc6f82ffaffd80d
SHA1: 142fca53e1ffd6b40803d7989417fd6e4fbab1b4
File size: 51’200 bytes
VT Result: 3 /43 (7.0%)
After the worm has infected the computer, it starts iexplore.exe in invisible mode and injects itself into the process. In this way the worm is able to bypass the local firewall and communicate with its Command & Control server (C&C).
As soon as the computer is infected, the worm starts to spread itself by infecting all files on the victim’s computer that have the file extension EXE, DLL or HTML. For example, if QuickTime Player is installed on the victim’s computer, the worm will automatically search through the directory and infect the EXE, DLL and HTML files. Below is a screenshot of a clean system (before the infection):
Followed by a screenshot of an infected system (same directory):
Note that the file size and date modified of the infected files have changed. The same goes for other directories with EXE, DLL or HTML files, for example the Adobe Reader directory (before the infection):
And after infection:
Let’s compare the original (clean) files with the infected files which have been patched by Worm Ramnit:
*** QTTask.exe (Quick Time) ***
Clean
* MD5: 6df76965a0fb8237e9c3b3cab9815ec2
* File size: 413’696 bytes
* VT result: 0/41 (0.0%)
Infected
* MD5: c32b6f477c5454d4e2cded81e686036d
* File size: 466’944 bytes
* VT result: 38/42 (90.5%)
*** AGM.dll (Adobe Reader) ***
Clean
* MD5: 8f0b2030b5e42235c855a94a17f57118
* File size: 4’883’456 bytes
* VT result: 0/41 (0.0%)
Infected
* MD5: 833c79d662f8cc47579540dc03505419
* File size: 4’936’192 bytes
* VT result: 39/43 (90.7%)
As shown on VirusTotal, the files which have been infected by the worm are detected quite well by most of the AV engines.
If we take a closer look into an infected HTML file, we will see that the worm has added a VBScript at the end of the file:
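The before/after listings above compare file sizes and hashes by hand. As an added example (not code from the original post), the following Python script builds the same kind of baseline for every EXE, DLL and HTML file under a directory and reports files whose hash changed or that newly appeared. The demo directory, its file contents and the simulated patch are constructed for illustration and reuse none of the hashes listed above.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types the post says Ramnit patches in place.
INFECTABLE_SUFFIXES = {".exe", ".dll", ".html"}


def fingerprint(path: Path) -> dict:
    """Size plus MD5 and SHA-1 of one file (the same values the post lists from VirusTotal)."""
    data = path.read_bytes()
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every EXE/DLL/HTML file below root, keyed by POSIX-style relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in INFECTABLE_SUFFIXES:
                baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return (path, reason) pairs for files whose content changed or which newly appeared.

    A file that grew but kept its name is exactly what the post's before/after listings show.
    """
    findings = []
    for rel, now in sorted(current.items()):
        before = baseline.get(rel)
        if before is None:
            findings.append((rel, "new file"))
        elif now["md5"] != before["md5"]:
            delta = now["size"] - before["size"]
            findings.append(
                (rel, f"content changed, size {before['size']} -> {now['size']} ({delta:+d} bytes)")
            )
    return findings


def demo() -> list:
    """Constructed demo: a fake program directory before and after a simulated patch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "QuickTime").mkdir()
        (root / "QuickTime" / "QTTask.exe").write_bytes(b"MZ" + b"\x00" * 1000)
        (root / "QuickTime" / "readme.html").write_bytes(b"<html><body>hi</body></html>")
        (root / "QuickTime" / "notes.txt").write_bytes(b"ignored, not an infectable type")
        baseline = build_baseline(root)

        # Simulate an infection: append bytes to the EXE, a script block to the HTML,
        # and drop a new executable (constructed stand-ins, not real Ramnit artifacts).
        with open(root / "QuickTime" / "QTTask.exe", "ab") as f:
            f.write(b"\x90" * 512)
        with open(root / "QuickTime" / "readme.html", "ab") as f:
            f.write(b"<SCRIPT Language=VBScript>...</SCRIPT>")
        (root / "QuickTime" / "svchost.exe").write_bytes(b"MZ dropped")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

In production the baseline would be written to disk (or a read-only share) right after installation and compared against a fresh walk on a schedule; a hash mismatch on a vendor binary that has not been updated is the signal worth alerting on.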
<script type='text/javascript'>
<SCRIPT Language=VBScript>
If a user runs the HTML file, the VB-Script will drop a file called “svchost.exe” and infect the computer.
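Added example (not code from the original post): a small Python checker for the HTML infection described above. It flags VBScript blocks and any markup appended after the closing </html> tag, which is where the post says the script is added. The sample pages are constructed; the two script tags match the lines quoted above, but the script body is a placeholder.

```python
import re
from pathlib import Path

# Constructed sample pages; none of these is a file from the original post.
CLEAN_PAGE = "<html><head><title>ok</title></head><body><p>hello</p></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    "<script type='text/javascript'>\n"
    "<SCRIPT Language=VBScript>\n"
    "' constructed stand-in for the appended payload\n"
    "</SCRIPT>\n</script>\n"
)
INLINE_VBS_PAGE = '<html><body><SCRIPT Language=VBScript>MsgBox "x"</SCRIPT></body></html>'

# A <script> tag whose language or type attribute declares VBScript.
VBSCRIPT_TAG = re.compile(
    r"<script[^>]*\b(language|type)\s*=\s*['\"]?(vbscript|text/vbscript)", re.I
)
HTML_CLOSE = re.compile(r"</html\s*>", re.I)


def inspect_html(text: str) -> dict:
    """Flag VBScript blocks and any content appended after the last </html> tag."""
    findings = []
    closes = list(HTML_CLOSE.finditer(text))
    last_close = closes[-1] if closes else None
    trailing = text[last_close.end():].strip() if last_close else ""
    if trailing:
        findings.append("content appended after </html> (%d bytes)" % len(trailing))
    for tag in VBSCRIPT_TAG.finditer(text):
        offset = tag.start()
        where = "after </html>" if last_close and offset > last_close.end() else "inside document"
        findings.append("VBScript block at offset %d, %s" % (offset, where))
    return {"suspicious": bool(findings), "findings": findings}


def scan_directory(root: Path) -> dict:
    """Run inspect_html over every .htm/.html file below root; return only suspicious ones."""
    results = {}
    for p in root.rglob("*"):
        if p.suffix.lower() in {".htm", ".html"}:
            r = inspect_html(p.read_text(errors="replace"))
            if r["suspicious"]:
                results[p.as_posix()] = r["findings"]
    return results


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE), ("inline", INLINE_VBS_PAGE)):
        print(name, inspect_html(page))
```

Content after the closing tag is reported separately from the VBScript finding because legitimate pages never carry markup there, so that check alone catches appended payloads even if the attacker changes the script language.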
*** C&C Communication ***
The worm uses its own proprietary protocol to communicate with the C&C server on port 443 (which is normally HTTPS). Since August 2010 I’ve seen three different domain names being used by Worm Ramnit:
- zahlung.name (Firstseen on 2010-10-01)
- glavdmn.com (Firstseen on 2010-09-16)
- fget-career.com (Firstseen on 2010-09-03)
I’ve Googled all three domain names and haven’t found any evidence showing that these domain names are malicious. But of course they are. Unfortunately, if we look up those domain names on URLVoid it doesn’t look better:
- www.urlvoid.com/scan/zahlung.name [Detection: 1/17 (6 %)]
- www.urlvoid.com/scan/glavdmn.com [Detection: 1/17 (6 %)]
- www.urlvoid.com/scan/fget-career.com [Detection: 1/17 (6 %)]
It’s a pretty good example that sometimes the AV industry fails.
*** How the Worm spreads itself ***
Worm Ramnit uses several ways to spread itself and infect other computers:
- Drive-by exploits
- Infecting EXE, DLL and HTML files on the victim’s computer
- Infecting removable media including USB sticks, USB hard drives and CDs
*** Conclusion ***
Because the worm always installs itself as “DesktopLayer.exe”, it shouldn’t be too hard to identify infected systems. If you Google for “DesktopLayer.exe” you will see over 30’000 hits, including users complaining about the file “DesktopLayer.exe” which they just found on their computer. So it looks like the worm is already pretty widespread.
As already mentioned, the worm has various methods to spread itself. Worms are mainly a big problem for large networks (like corporate or governmental networks): if you have one infected computer, the worm will spread quickly within your network by infecting removable drives or files on network shares.
The C&C domain names associated with Worm Ramnit are already listed on AMaDa. Therefore you can use the AMaDa C&C Domain Blocklist to block C&C traffic or identify infected systems in your network.
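As an added example that is not part of the original post, here is how a defender could apply a C&C domain blocklist like the one described above to DNS query logs in Python. The three domains are the ones listed in the post; the log format and the log lines are constructed for the demonstration, and the matching treats subdomains as hits while rejecting look-alike names that merely end in the same characters.

```python
# Domains the post associates with Ramnit C&C, with the first-seen dates it gives.
BLOCKLIST = {
    "zahlung.name": "2010-10-01",
    "glavdmn.com": "2010-09-16",
    "fget-career.com": "2010-09-03",
}

# Constructed DNS query log in a simple "date time client qname" format (not real logs).
SAMPLE_LOG = """\
2010-10-05 09:12:01 10.0.0.15 www.example.com
2010-10-05 09:12:07 10.0.0.15 zahlung.name
2010-10-05 09:13:40 10.0.0.22 cdn.glavdmn.com.
2010-10-05 09:14:02 10.0.0.22 update.microsoft.com
2010-10-05 09:15:55 10.0.0.31 notglavdmn.com
2010-10-05 09:16:10 10.0.0.15 FGET-CAREER.COM
"""


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so FQDN and bare forms compare equal."""
    return name.rstrip(".").lower()


def matches_blocklist(qname: str, blocklist=BLOCKLIST):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.

    The '.' prefix on the endswith check keeps notglavdmn.com from matching glavdmn.com.
    """
    q = normalize(qname)
    for domain in blocklist:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def scan_dns_log(lines, blocklist=BLOCKLIST) -> dict:
    """Map each client IP to its list of (timestamp, query, matched domain) hits."""
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines not in the constructed format
        ts, client, qname = f"{parts[0]} {parts[1]}", parts[2], parts[3]
        domain = matches_blocklist(qname, blocklist)
        if domain:
            hits.setdefault(client, []).append((ts, qname, domain))
    return hits


if __name__ == "__main__":
    for client, events in scan_dns_log(SAMPLE_LOG.splitlines()).items():
        print(client)
        for ts, qname, domain in events:
            print(f"  {ts}  {qname}  (matched {domain}, first seen {BLOCKLIST[domain]})")
```

Each client that appears in the result is a host to pull for the DesktopLayer.exe check described in the conclusion; the same matcher can sit in front of a resolver to sinkhole the queries instead of just logging them.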
Virus That Blocks Itself | Posted by ThreatSolutions @ 08:42 GMT
Virus:W32/Ramnit is no stranger to many malware analysts/researchers, as it was in the wild back in 2010.
Other malware researchers have blogged about the technical details of this interesting virus (here and here, for example); however there are still some noteworthy techniques — and an "easter egg" — waiting to be discovered.
One of the interesting techniques is the injection method that Ramnit uses. This differs from the traditional method, in which a virus would create a suspended thread and inject code using a memory writing Windows API function, then resume the suspended thread after the injection is done.
In this case, what makes Ramnit different is that it calls a Windows API function to spawn a new process, either the default web browser process or the Generic Host Process for Win32 Services, also known as svchost.exe. By injecting into this newly spawned process, the code is not easily visible to users and able to bypass the firewall.
Before this happens though, Ramnit installs an inline hook in an undocumented Windows native system service called Ntdll!ZwWriteVirtualMemory. The picture below depicts how this injection works:
The hooked Windows native system service redirects the code execution flow to the module defined in the caller process to perform the code injection routine. The injected code in the new process includes the capability for file infection (Windows executable and HTML files), as well as backdoor and downloader functionalities.
Another noteworthy detail in Ramnit is its "easter egg", found in the DLL that it injects to the processes mentioned above. The code snapshot below should explain everything:
Basically, this easter egg navigates to the registry key and looks for "WASAntidot":
When we try to create a "WASAntidot" registry key on a test machine, we see this:
Voila! The machine is safe from Ramnit infection now!